Incorrect IP address in the Cloudflare DNS settings (i.e. the request from us was sent to the wrong place)

Offline origin web server

Dropped packets on the host network

Below, you will find additional information for the most common causes.

Overloaded origin web server

A server could be dropping requests as a result of an overload condition. What constitutes a high load can differ depending on the server's hardware and software.

Generally, a load average of over 10-20 could mean that the server is overloaded. To check for this on Linux/Unix, you can run the w or top commands in the terminal window.

If you're unable to verify web server load on your own, check with your host or a system administrator.

Blocked Cloudflare requests

Blocking Cloudflare requests is the most common cause of intermittent 522 errors.

When traffic flows through a Cloudflare-enabled website, the origin web server sees all requests as coming from a handful of Cloudflare IP addresses. This can often trigger firewalls and IP rate-limiters to block Cloudflare requests, thinking that the website is under attack. cPHulk (which comes with cPanel) and other services have been known to do this.

To avoid this situation, make sure that:

Cloudflare IPs are not being blocked in .htaccess, iptables, or your firewall.
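One way to run this check offline, as an added example that is not part of the original article: the script below scans iptables-save output and .htaccess text for block rules whose source overlaps a Cloudflare range. The function name, the sample rules and the three-range subset of Cloudflare's published list are assumptions made for illustration.

```python
import ipaddress
import re

# Sample subset of Cloudflare's published IPv4 ranges (assumption: replace
# with the current, complete list before trusting a clean result).
CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13"]

# Constructed `iptables-save` output, not from a real host.
SAMPLE_IPTABLES = """\
*filter
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 173.245.52.17/32 -p tcp --dport 443 -j DROP
-A INPUT -s 104.0.0.0/8 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 103.21.244.0/22 -j ACCEPT
COMMIT
"""

# Constructed .htaccess fragment, not from a real site.
SAMPLE_HTACCESS = """\
Allow from all
Deny from 103.21.245.9
Deny from 203.0.113.0/24
Require not ip 104.16.0.0/16
"""

# Each pattern captures the blocked source(s) in its first group.
# Negated iptables matches ("! -s ...") are skipped: they block everyone else.
IPTABLES_BLOCK = re.compile(r"^-A\s+\S+\s(?!.*!\s+-s).*?-s\s+(\S+).*?-j\s+(?:DROP|REJECT)\b")
HTACCESS_BLOCK = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+)$", re.I)

def blocked_cloudflare(config, pattern, cf_ranges=CLOUDFLARE_RANGES):
    """Return (rule, source) pairs where a block rule overlaps a Cloudflare range."""
    cf_nets = [ipaddress.ip_network(r) for r in cf_ranges]
    hits = []
    for line in config.splitlines():
        match = pattern.search(line)
        if not match:
            continue
        for token in match.group(1).split():
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # hostnames, "all", partial IPs: not handled here
            if any(net.overlaps(c) for c in cf_nets):
                hits.append((line.strip(), str(net)))
    return hits
```

On a live server, pass the real output of iptables-save and the contents of the site's .htaccess in place of the samples; a broad rule such as the 104.0.0.0/8 one is flagged because it covers part of a Cloudflare range even though it does not name one.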

Faulty network routing

Faulty network routing between Cloudflare and the origin web server is more difficult to troubleshoot than the other causes. Before checking for this, first rule out the other potential causes.

If you believe network issues might be the cause, file a ticket with Cloudflare support. Useful information to provide in your ticket includes:

Details about what you have checked so far

An MTR or traceroute from your server to a Cloudflare IP address, preferably one of the IP addresses from which you have seen requests from Cloudflare in the past

Disabled keepalives

Cloudflare uses the Keep-Alive header to improve performance. Disabling it in the origin web server causes connections to fail and return a 522 error in some circumstances. This feature is enabled by default in most major web servers, so unless you've explicitly disabled it, this shouldn't be an issue.

Understand how Error 522 is triggered

When someone visits a Cloudflare-enabled website, a connection is established between Cloudflare and the website's origin server. To establish a connection, TCP uses a three-way handshake.

SYN: Cloudflare sends three SYN packets to the origin server.

SYN+ACK: In response, the origin server replies with a SYN+ACK.

ACK: Finally, Cloudflare sends an ACK back to the origin server.

At this point, both Cloudflare and the origin server have received an acknowledgement of the connection, and communication is established. If the origin server does not send a SYN+ACK back to Cloudflare within 15 seconds, a 522 error will occur and the connection is closed.

This diagram illustrates a successful TCP handshake:

The next diagram shows that the SYN+ACK is not returned from the origin web server within 15 seconds, triggering the Error 522 timeout:

Another condition for an Error 522 timeout occurs when the origin responds with a SYN+ACK and establishes a TCP connection, but never responds to the request with an ACK within 90 seconds. (A 524 condition ACKs the request, but waits too long to send the response.) Here is an illustration detailing this scenario:

Checking for these conditions with your server administrator or hosting provider is the best way to resolve these errors. If there is a network problem, a traceroute or MTR from the site origin is also useful.

If you continue to see 522 errors after ruling out the aforementioned possibilities and troubleshooting the issue, contact Cloudflare Support for further investigation.